Best practices for threat management

With threats of all types on the rise and increasing costs of security breaches growing (analyst approximate $840,000 per breach), enterprises are investing in numerous threat detection and “early warning’ solutions in an attempt at mitigating risk and gaining some level of control.

Many solutions are capable of identifying potential threats and establishing relative severity, however they are often limited to a single source of knowledge, which means IT has to manually investigate each individual event, policy violation or otherwise suspicious activity. Not only is this process time consuming, it is also costly and prone to human error in the face of the high volume today’s complex threats.

As a result, enterprises are supplementing traditional anti-virus (AV), intrusion detection/prevention (IDS/IPS), and security information and event management (SIEM) systems with advanced malware detection (AMD) platforms, threat intelligence feeds, and even “big-data-for-security” solutions. While these products are effective at detecting suspicious activities and threats, they’re often limited in their ability to prevent what they find from having an impact. Typical shortcomings include having insufficient context, limited enforcement capabilities, and/or lack of coverage.

Insufficient context. Existing solutions are often limited to a single source of information, dependent on an individual event, policy violation or otherwise suspicious activity. In such cases, there often isn’t enough contextual information to verify a threat or to elevate the potential threat to a higher priority.

Limited enforcement capabilities. Many threat detection solutions are designed to only discover threats, making them passive by design. Those that may have detection and prevention capabilities are often deployed in “tap’ or “span’ mode to minimize network architecture changes or the impact on network performance, effectively removing them from inline protection against detected threats. Therefore, any containment or remediation steps require a time consuming, manual process.

Lack of coverage. Even if a solution has sufficient context and the ability to enact an appropriate response, a third limitation involves the scope of that response. Can the solution enforce containment on more than one device type or across multiple locations? How much manual intervention is needed by the security team to re-configure hundreds of firewalls and proxies in a multi-vendor, geographically diverse network environment?

In addition to solution limitations, IT security teams have to be thoroughly trained to work with a complex security environment, which means workflow needs to be distributed properly for the best outcome.

There is a gap in most organizations between an organization’s threat detection systems and policy enforcement infrastructure and enforcement processes. Bridging this gap is an area where existing workflow designs struggle. If a comprehensive response solution is in place, threats and attacks can be managed rapidly and with very little disruption or damage.

There are several layers to security threat management that should be considered before a company can feel confident that they are prepared for an attack. Key areas for threat management include:

1. Threat detection. The initial step is to know there was an attack or compromised system. This is the “detection phase” of threat management, which is core to any IT security plan. Many tools say they “detect and prevent” but many actually only detect a threat as customers choose to run them in span or tap mode (usually for performance reasons.) Detection increases the number of infection signals, such as zero day attacks, APTs, or other system compromises, but further investigation is often required to validate the threat before action can be taken.

2. Existing preventative steps. Even though you have detected a threat, have you actually contained it using existing tools or security devices? Detection does not mean protection. Hundreds of alerts may be received weekly, but is there a way to verify that existing protection layers have been effective or are going to be effective? The only way to know is to dive deeper into the context of the threat.

3. Context awareness of the incident. There are two core context considerations – internal and external. Internal context includes understanding the affected systems’ potential impact and priority as it relates to individuals or departments within an organization; external context includes understanding the infection vectors and their origination from outside sources. If an attack has reached internal systems, can you confirm whether it was the CFO’s PC or a machine in the mail room? Manually pulling user or indicators of compromise (IOC) data from each potentially infected system may be necessary to confirm that an infection has occurred. How quickly security teams can build this picture is a critical component of response time.

4. Contain. Armed with rich threat context, security analysts can make sure sensitive data sources, key personnel, or entire departments are treated with high priority and receive an elevated response. Protective actions can include limiting communications, blocking IPs and domains, network segment isolation, increased logging, additional scans and more. One key aspect of containment is to prevent the exfiltration of data and further communication with external command and control servers. This key step often involves the update of block lists for dozens if not hundreds of devices often from multiple vendors. Automating enforcement updates provides the best assurances, however, if the update is done manually, verify that all necessary updates to all devices have been completed. It just takes one out-of-date device to allow additional exfiltration of intellectual property or to allow an infection to spread.

5. Confirm. Next is to evaluate that enforcement is in place. Are all enforcement devices really updated and providing protections? The IT security should maintain an audit trail of all responses over time. In a large-scale environment, ensuring up-to-date enforcement of current and newly added devices can be subject to human error if the audit trail is maintained manually and updates are performed manually. Remember that enforcement is subject to priorities influenced by internal and external context. This means that after high priority internal systems and networks are secured, there may be another round of analysis and enforcement needed for incidents deemed a lower priority.

6. Block list management. Understand all the objects, rules, and lists in place. Large networking environments mean large enforcement lists and potentially complex policies. These must be organized, shared with the security team, and managed centrally to limit duplicate efforts and ensure consistent security. When responding to frequent or complex security events, your network is only as strong as its weakest link, make sure to double check lists, rules, and object updates to ensure consistency.

7. Test everything. Everything should be tested more than once to be sure both automation and manual processes are properly in place. Remember that even if you don’t test, there are more than enough hackers and penetration testers out there to test your systems for you. At a minimum, perform a conformance test and plan larger regression tests every quarter.

Threat management is a critical process that involves detection, investigation, analysis, and enforcement, with human involvement at the heart of the overall process. IT security staff and their teams are ultimately responsible for managing, reacting and securing corporate networks, but with the scale and complexity of threats, investigations, and multi-vendor enforcement devices, there are many opportunities for delay and human error.

With smart best practices and automation in place, IT security teams save time and reduce risk with a solid, end-to-end threat management and response process. With that in place, the gap between threat detection and enforcement can be closed, and companies have a better chance at remaining secure by reacting quickly when there is an attack.